At IRS, Two-Factor Authentication Means Waiting For a Letter in Your Mailbox

IRS Commissioner John Koskinen testifies on Capitol Hill in Washington, Tuesday, June 2, 2015

IRS Commissioner John Koskinen testifies on Capitol Hill in Washington, Tuesday, June 2, 2015 Jacquelyn Martin/AP

IRS officials cautioned members of Congress that if they make the login process too difficult, users might become even more frustrated with the tax agency.

You might assume the Internal Revenue Service online service for accessing tax returns exploited via a weak login system would quickly switch to two-factor authentication. After all, that's what Apple and Twitter did after the nude celebrity selfie breach and countless other high-profile tweet hijackings. 

But it's not that easy for a federal agency accustomed to combating fraud through postal mail and phone calls.  

IRS Commissioner John Koskinen told lawmakers Tuesday the agency had already begun weighing whether to offer PINs to all taxpayers, even before the security breach -- but warned the adjustment would be a major hassle for all. 

Meanwhile, identity thieves were able to retrieve prior year filings for 100,000 taxpayers and claim tens of millions of dollars in fraudulent refunds by overriding IRS' “Get Transcript" verification system. Between February and mid-May, the crooks got in by entering the victim's Social Security number, date of birth and street address, as well as correctly guessing answers to security questions, such as, “Which of the following is your mortgage lender?” 

Get Transcript has since been shuttered. 

While bank accounts and many social media services now require users to enter a second, secret form of identification, such as a PIN sent over SMS, Get Transcript does not. 

Taxpayers who have previously suffered ID theft are the exception. They are sent -- by snail mail -- an Identity Protection PIN.

"Right now, if you get an IP PIN, the requirement is you have to get a new one every year and you have to file forever with your IP PIN," Koskinen told senators during a hearing on the IRS breach.

"If we had a 100 million people with IP PINs out there and as they start losing them --- which people inevitably do -- we then suddenly have a major influx of calls and re-validations that go on that would be almost impossible for us at our present resource constraint situation to handle," he said. "But we are gradually working into it because for someone who has an IP PIN, it is added security."

The current Q&A process, known as knowledge based authentication, or KBA, is fallible, according to researchers.

A study published last month by Google found that secret questions generally offer less security and are more burdensome than passwords. One reason: The answers are hard for people to remember. The question method's "poor level of security, their unreliability for successful account recovery and the existence of alternative recovery options with significantly higher success rate motivated Google’s decision to favor alternative options (SMS, email) as a recovery mechanism" for the company's online services, according to Google's research. 

It should be noted that the IRS did send an email, containing the list of questions, when the user entered a Social Security number. But the agency never checked to make sure it was the taxpayer's valid email address. 

"That was one of the design flaws," Koskinen said. "Part of our problem is, because we don't communicate with taxpayers yet electronically -- we never send emails back or forth --  we have no security for them."

The head of the Homeland Security and Governmental Affairs Committee, which held the hearing, applauded the agency's move to take down the site, but urged immediate fixes.

"That is a corrective item that needs to be done almost immediately," committee Chairman Sen. Ron Johnson, R-Wis. said, referring to email security. 

IRS officials cautioned that if they make the login process too difficult, by adding more security questions or requiring everyone to apply for a PIN, users might become even more frustrated with the tax agency. 

With the current Q&A system, "already 22 percent of taxpayers can't answer their own questions," Koskinen said. "It means that the criminals are better able to answer the questions in some cases than the taxpayers."

Sometimes, online security has the effect of blocking out both the bad guys and the valid users. 

In 2013, before launching Get Transcript, "the debate inside was how many of those [questions] should we have?  What degree of confidence would we have if instead of asking four or five, if we asked 15 or 16" questions, IRS Chief Technology Officer Terence V. Milholland said at the hearing. Asking 16 questions increases the chances the user is who he or she claims to be to around 99 percent, "but that's then a burden on the taxpayer."

And having taxpayers wait by the mailbox for a PIN code so they can get fast access to transcripts didn't make sense to officials.

A "decision was made in 2013 about the level of risk we were willing to take," Milholland said. "For a lot of people, it's been very, very successful," with 23 million of them having successfully retrieved their previous year filings online. "But then again we had this incident, and that's the dilemma." 

His boss added, "We are going continue to have to assume that we're at risk..... Even as we harden this program and put it back up -- even then, we'll run on the assumption that we're at risk."